Nyxem.E
Email-Worm.Win32.Nyxem.E is a worm that runs on Win32.

Behavior

The Nyxem.E worm spreads via the Internet as an attachment to infected messages and via open network resources. It sends itself to email addresses harvested from the victim's computer.

The worm itself is a PE EXE file written in Visual Basic, packed using UPX. The packed file is approximately 95KB in size, and the unpacked file is approximately 176KB in size.

Installation

Once launched, to mask its main functionality, the worm creates and opens a ZIP archive in the Windows system directory. The ZIP archive has the same name as the original executable file, e.g.:

  %System%\Sample.zip

When installing, the worm copies itself to the Windows root, system and start up directories under the following names:

  %System%\New WinZip File.exe
  %System%\scanregw.exe
  %System%\Update.exe
  %System%\Winzip.exe
  %System%\WINZIP_TMP.EXE
  %User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
  %Windir%\rundll16.exe

The worm then registers itself in the system registry, ensuring it will be launched each time Windows is rebooted on the victim machine:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  "ScanRegistry"="scanregw.exe /scan"

The worm also modifies the following registry values, which hides files that are marked as hidden system files in Explorer:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  "WebView"="0"
  "ShowSuperHidden"="0"

Propagation via email

The worm harvests addresses from files with the following extensions:

  dbx
  eml
  htm
  imh
  mbx
  msf
  msg
  nws
  oft
  txt
  vc

It also scans files whose names contain the following strings:

  content
  temporary

When sending infected messages, the worm attempts to establish a direct connection to the recipient's SMTP server.

Infected messages

Message subject:

  *Hot Movie*
  A Great Video
  Arab sex DSC-00465.jpg
  eBook.pdf
  Fuckin Kama Sutra pics
  Fw:
  Fw: DSC-00465.jpg
  Fw: Funny :)
  Fw: Picturs
  Fw: Real show
  Fw: SeX.mpg
  Fw: Sexy
  Fwd: Crazy illegal Sex!
  Fwd: image.jpg
  Fwd: Photo
  give me a kiss
  Miss Lebanon 2006
  My photos
  Part 1 of 6 Video clipe
  Photos
  Re:
  Re: Sex Video
  School girl fantasies gone bad
  The Best Videoclip Ever
  You Must View This Videoclipe!

Message body:

  ----- forwarded message -----
  >> forwarded message
  forwarded message attached.
  Fuckin Kama Sutra pics
  hello, i send the file. Bye
  Hot XXX Yahoo Groups
  how are you? i send the details.
  i attached the details. Thank you.
  i just any one see my photos. It's Free :)
  Note: forwarded message attached. You Must View This Videoclip!
  Please see the file.
  Re: Sex Video
  ready to be FUCKED ;)
  The Best Videoclip Ever
  VIDEOS! FREE! (US$ 0,00)
  What?

Attachment name:

  007.pif
  04.pif
  3.92315089702606E02.UUE
  677.pif
  Attachments001.B64
  document.pif
  DSC-00465.Pif
  DSC-00465.pIf
  eBook.PIF
  eBook.Uu
  image04.pif
  New_Document_file.pif
  Original Message.B64
  photo.pif
  School.pif
  SeX.mim
  WinZip.BHX
  Word_Document.hqx
  Word_Document.uu

Propagation via open network resources

The worm copies itself to the following network resources as Winzip_TMP.exe:

  ADMIN$
  C$

Other

If the worm detects any of the values listed below under the following registry keys on the victim machine, it will delete them (these values typically belong to security and peer-to-peer software):

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  APVXDWIN
  avast!
  AVG7_CC
  AVG7_EMC
  AVG7_Run
  AVG_CC
  Avgserv9.exe
  AVGW
  BearShare
  defwatch
  DownloadAccelerator
  kaspersky
  KAVPersonal50
  McAfeeVirusScanService
  NAV Agent
  OfficeScanNT Monitor
  PCCClient.exe
  pccguide.exe
  PCCIOMON.exe
  PccPfw
  Pop3trap.exe
  rtvscn95
  ScanInicio
  SSDPSRV
  TM Outbreak Agent
  tmproxy
  Vet Alert
  VetTray
  vptray
  NPROTECT
  ccApp
  ScriptBlocking
  MCUpdateExe
  VirusScan Online
  MCAgentExe
  VSOCheckTask
  McRegWiz
  CleanUp
  MPFExe
  MSKAGENTEXE
  MSKDetectorExe
  McVsRte

The worm also terminates active applications if the application name contains one of the following strings:

  kaspersky
  mcafee
  norton
  removal
  scan
  symantec
  trend micro
  virus
  fix

It will delete all files matching the following patterns:

  %ProgramFiles%\DAP\*.dll
  %ProgramFiles%\BearShare\*.dll
  %ProgramFiles%\Symantec\LiveUpdate\*.*
  %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
  %ProgramFiles%\Norton AntiVirus\*.exe
  %ProgramFiles%\Alwil Software\Avast4\*.exe
  %ProgramFiles%\McAfee.com\VSO\*.exe
  %ProgramFiles%\McAfee.com\Agent\*.*
  %ProgramFiles%\McAfee.com\shared\*.*
  %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
  %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
  %ProgramFiles%\Trend Micro\Internet Security\*.exe
  %ProgramFiles%\NavNT\*.exe
  %ProgramFiles%\Morpheus\*.dll
  %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
  %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
  %ProgramFiles%\Grisoft\AVG7\*.dll
  %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
  %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
  %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

All of these actions make the victim machine more vulnerable to subsequent attacks.

It may also download updates to itself via the Internet, without the knowledge or consent of the user. It will also block the mouse and the keyboard.

On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm will overwrite files with the following extensions:

  .doc
  .xls
  .mdb
  .mde
  .ppt
  .pps
  .zip
  .rar
  .pdf
  .psd
  .dmp

Files corrupted by the worm contain the following text:

  DATA Error 0F 94 93 F4 F5

Other Variants

  Email-Worm.Win32.Nyxem.A
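The following triage helper is an added example written for this page, not code from the original description or from any vendor tool. It checks two of the indicators above, the persistence and Explorer registry values and the corruption marker left in overwritten documents, against constructed inputs (a small .reg-style export and sample file bytes) so it runs offline; mapping it onto a live host's registry export and file system is left to the reader's forensic tooling.

```python
import re

# Indicators below are taken from the description on this page.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
PAYLOAD_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                ".zip", ".rar", ".pdf", ".psd", ".dmp"}
CORRUPTION_MARKER = b"DATA Error"
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed .reg-style export (not from a real host) used as sample input.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="scanregw.exe /scan"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView"="0"
"ShowSuperHidden"="1"
"""

def parse_reg_export(text):
    """Parse a .reg-style export into {key: {name: value}}, string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVES.get(hive, hive) + "\\" + rest   # normalise to HKLM/HKCU
            keys.setdefault(current, {})
        elif current:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def registry_indicators(reg_text):
    """Registry values matching what the worm writes for persistence and stealth."""
    reg, hits = parse_reg_export(reg_text), []
    if reg.get(RUN_KEY, {}).get("ScanRegistry", "").lower() == "scanregw.exe /scan":
        hits.append(RUN_KEY + "\\ScanRegistry")
    for name in ("WebView", "ShowSuperHidden"):
        if reg.get(EXPLORER_KEY, {}).get(name) == "0":
            hits.append(EXPLORER_KEY + "\\" + name)
    return hits

def looks_overwritten(name, data):
    """True if a file of a targeted type begins with the worm's corruption marker."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext in PAYLOAD_EXTS and data.startswith(CORRUPTION_MARKER)
```

A file flagged by looks_overwritten has had its contents replaced and cannot be repaired from the file itself; it must be restored from backup.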